Signing Installation Packages

In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows:
productsign --sign 'Developer ID Installer: 31415926535897932384626'
'/temp/Alpha.pkg' '/temp/Omega.pkg'
You can also timestamp the signing by adding a –timestamp option or disable trusted timestamps with the –timestamp=none. You can also indicate a keychain using the –keychain option or –cert to indicate a certificate to embed in the archive. Once signed, you can then test the signing using the spctl command along with the –assess option. The –type option would also indicate a type of install, resulting in the following for Omega.pkg:
spctl --assess --type install /temp/Omega.pkg